ISe with NAC agent pop up and Posture waiting

Similar Messages

• Please help me. I just cleaned the disk and, when I clicked to install new OS X mavericks a screen with apple id popped up and said that I need to put apple id that purchased the OS X.

  Please help me. I just cleaned the disk and, when I clicked to install new OS X mavericks a screen with apple id popped up and said that I need to put apple id that purchased the OS X.

  How did youobtain OS X?

• Upon startup, restore windows... window is flashing with finder icon popping in and out of dock. computer will not allow any selection. What should I do?

  On my 2009 Mac Pro, 10.7.5 upon startup, restore windows... window is flashing with finder icon popping in and out of dock. computer will not allow any selection. I'm hoping someone may know a solution.

  http://www.apple.com/support/lion/installrecovery/
  http://support.apple.com/kb/HT4718
  https://support.apple.com/kb/DL1433
  http://reviews.cnet.com/8301-13727_7-20081109-263/recovery-options-for-macs-runn ing-os-x-lion/
  https://www.apple.com/macosx/recovery/
  http://support.apple.com/kb/HT4848

• Every time I press F6, my backlit keyboard key, a circle with a cross pops up and won't let me turn on my backlit keyboard ??

  Every time I press F6, my backlit keyboard key, a circle with a cross comes on and wont let me turn on or up my light behind my keybored... any ideas ?

  nevermind. your backlit keyboard wont work in a light environment

• NAC agent 4.9 and WES7

  I am trying to find a support matirx for Windows client support in 4.9 I see where the newest release supports WIndows 8 and IE10. I do not see support for Windows embedded. Is this supported?                  

  It looks like we have the issue resolved for this computer. When installing 4.9.1.5 directly the problem occurs, however when upgrading from 4.9.0.33 to 4.9.1.5 the problem is not replicated. Very odd, and frankly a waste of my morning.

• Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

  Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
  -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
  -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
  -No certificates are used.
  -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
  -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
  -For now I'm testing it on wired endpoints.
  Is there a way to configure ISE to fulfill the listed above requirements?
  Any ideas would be appreciated.
  Thanks,
  Val Rodionov

  Everyone who finds reads this article,
  I'm answering my own quesiton "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
  The answer is Yes.
  After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
  ISE configuration:
  Posture General Settings - Default Posture Status = NonCompliant
  Client Provisioning Policy - no rules defined
  Posture Policy - configured per requirements
  Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
  Authorization Policies configured as regular posture policies
  The result:
  After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
  If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
  The only part that is not perfect it the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open TAC case, so this file can be manually found and edited from CLI (root access).
  Best,
  Val Rodionov

• Cisco ISE NAC agent and Microsoft roaming profiles

  Hi there,
  I have installed Identity services engine version 1.1.3 in didstributed mode. The NAC agent is installed on the end user PC joined to the domain. when a user with a roaming profile logs into the PC, the NAC agent fails to run posture assesment, but if a user with non-roaming profile logs in, the NAC agent does posture and full network access is granted.
  Is there something i need to do to enable the NAC agent to perform posture for users with a roaming profile.
  Regards,
  Henry

  Hello,
  I found the following from the cicso doc. Hope it helps!
  The following failure  scenarios might cause the Cisco NAC Agent to appear following successful  user authentication when the client machine roams between CASs in Layer  3 (both In-Band and Out-of-Band) and Layer 2 /Layer 3 Out-of-Band  environments. Erroneous Agent login dialogs could also appear if users  roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC  network:
  –ARP poisoning
  –Temporary loss of network connection between the client machine and the CAS
  –Access to untrusted interface IP address on the CAS from non-NAC network segments on NAC-enabled client machines
  Cisco offers the following recommendations to prevent this situation:
  –Ensure  all trusted networks (post-authentication) can reach the CAS untrusted  interface IP address through the CAS trusted interface only
  –Block  discovery packets from all non-NAC networks to the CAS untrusted  interface IP address (discovery packets that arrive on the trusted  interface of the CAS are blocked by default)
  For more information please refer to the following link:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html

• Determining which NAC Agent to use for ISE

  We are planning an upgrade to our ISE environment from 1.1.4 to 1.2. I have downloaded the agent that is recommended for 1.2 (NAC Agent 4.9.4.3) to begin testing with it. Unfortunately the first test I run is using that client against our ISE 1.1.4 servers. It doesn't work! It runs sporadically at best, taking up to 3 minutes to pop up and posture the system. Other times, I give up, after 20 minutes of waiting, and it never runs. This is quite a spot, I do not want to upgrade the ISE system to 1.2, then run into an issue and have to mass upgrade over 2000 clients all at once to get them running. My hope was to upgrade to the NAC Agent prior to the ISE upgrade but unfortunately that has been short circuited.
  So my question is, has anyone run ISE 1.2 with NAC Agent 4.9.1.6? That is what we are currently using, as it runs well against both ISE 1.1.4, and NAC 4.9.1 (which is still used for our wired environment). We need to find an agent we can use to bridge us from the time we upgrade ISE to 1.2, and the time we bring our wired environment into the ISE fold and remove NAC appliance. I should note, ironically, that 4.9.4.3 NAC Agent runs flawlessly against the NAC 4.9.1 appliance. The issue is running that NAC Agent against ISE 1.1.4. That is ecactly the opposite of what I would have guessed! Please help!
  Jeff

  Yes sir, I am aware of that recommendation, however once I downloaded and started testing several clients with that version, none of them run well, if at all, against 1.1.4 which is the current production version we run in our environment. So I would have to either upgrade all 2000 clients immediately after we upgrade or ISE system to 1.2, or take a chance that our current agent (4.9.1.6) will run against ISE 1.2. I was hoping to find a recommendation of an agent version that runs well against both ISE 1.1.4 and ISE 1.2 so we could upgrade the clients at a controlled rate prior to upgrading ISE to 1.2

• ISE 1.2 and Posture Report Before Login

  Hi everyone,
  Is it possible for the ISE 1.2 NAC/Posture agent to submit a posture report before user login on a Windows desktop system?
  We're trialling ISE 1.2, performing machine based authentication using EAP-TLS/Certificates. On top of this we are also using the posture agent and do not grant access until a 'compliant' posture report is received.
  Currently when a desktop powers up the posture status is 'pending' and this does not change until the user logs in, the NAC agent submits a successful posture report. This can take quite a few minutes leaving the user in a state of limbo where they have logged in to the computer but they must wait for the posture report.
  I see the NacAgent service runs as system, but the NACAgentUI.exe does not and only starts with the user logs in.
  Thanks,
  Mark

  That is correct, the nac agent is unaware of what policies exist in your ISE design. It's sole purpose is to start when the services allow it to do so and then send the information about the services and AV information it can gather so ISE can make a decision on whether the client is compliant or not compliant, it can then take direction on how to remeidate the client when it fails. There is nothing you can configure from ISE that will allow you to run the nac agent before user login.
  In the end when the nac agent makes into the anyconnect secure mobility client you might have hope there since there are some start before login vpn features, but I do not see the nac agent adopting this any time soon. You should however still work with your Cisco Account team on doing some research with the BU on your behalf, this could benefit alot of nac customers.
  thanks,
  Tarik Admani
  *Please rate helpful posts*

• NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

  Agent Fails to Initiate Posture Assessment
  The NAC agent is properly installed on a Windoes 7 , IE 9 machine, the certificates from ISE ADM PRI are installed in trustable certificate store in the client machine but is a selfsigned ISE certificate.
  The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
  The redirected URL is working fine (SEE Evidence)
  We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
  The operations status remains with postering status pending forever and nothing else happens.
  Symptoms or Issue
  The agent login dialog box does not appear to the user following client provisioning.
  Conditions Cisco Says this issue can generally take place during the posture assessment phase of any user
  authentication session.
  Cisco Advises as Possible Causes There are multiple possible causes for this type of issue. See the following
  Resolution descriptions for details of what was already tested by us and please see the atached files for your switch configuration and evidences. .
  CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
  Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
  • Ensure that the Cisco IOS release on the switch is equal to or more recent than
  Cisco IOS Release 12.2.(53)SE. - OK
  • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
  agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
  choose Properties, and check the discovery host.) - OK (See evidence)
  • Ensure that the access switch allows Swiss communication between Cisco ISE
  and the end client machine. Limited access ACL applied for the session should
  allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
  • If the agent login dialog still does not appear, it could be a certificate issue.
  Ensure that the certificate that is used for Swiss communication on the end client
  is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
  • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

  Hi.
  Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
  regards
  Zubair

• NAC Agent does not pop up after psn fails.

  So I'm in the middle of a deployment where I have 4 ISE appliances, two in one location and two in another location.
  The first location has 2 with all personas installed, whereas the other two are only PSN. In each area, NAC agent pops up normally after connecting/swapping to wired or wireless networks. During HA tests I have encountered that when the two ISE from the remote area fail (shutdown switch port for testing of course) the client does get authenticated but it stays in the POSTURE_REQ state on wireless and the Agent fails to pop up.
  - I have tried forcing the servers on the profile on ISE (provisioning) and I can see how it is somehow updated on the xml configuration file in the remote endpoint but still the nac agent wont pop up.
  - Increased timeout timers also, no luck.
  - Reinstalled NAC agent manually and by ise auto provisioning, no luck.
  - Ran a wireshark capture and saw requests sent to the default GW with the positron thing but never get an answer, but then I try connecting to the ISE manually https://(ADMIN_NODE_FAR_FROM_ENDPOINT)/guestportal/gateway?sessionId=(gibberish)&action=cpp and it works, so it is reachable from the endpoint
  I believe there is some kind of sync problem, my ISE are in UTC time and NADs have local timezone, but then why does it work locally??
  Any thoughts on this?
  Thank you for all your kind help

  You have done a reset. What does that mean? Did you reset all settings?
  Settings>General>Reset>Reset all Settings. You will have to enter all device settings again.

• ISE - NAC agent profile

  Dears
  I want to deploy NAC agent via GPO and I need to create agent profile , I know how to create it on ISE but how i get the file in xml format to be distributed ?

  You can try installing only one PC (either by manual installation or by captive portal). If you have configured the posture rules in ISE then the NAC Agent automatically contacts the ISE server and downloads the last NACAgentcfg.xml available.
  Then you could browse the following directory and find the NACAgentcfg.xml file in your PC.
  C:\Program Files (x86)\Cisco\Cisco NAC Agent
  After that you can mass deploy the NAC agent along with the xml file. Although is not mandatory to deploy the xml file  because as a I said, every time there's a posture rule the NAC agent will download the last NACAgentcfg.xml available from ISE server.
  Please rate if it helps.

• NAC Agent only prompts for username and login on wireless

  Another question for the smart people of the world.
  I have had a couple laptops where the cisco NAC agent will prompt for a password and verify the computer via the wirless network but when I try to do that on the wired network, it sends me to the download page for the NAC agent. It doesnt seem to register that the NAC agent is installed and working even though it is.
  Any thoughts?
  Thanks

  Hi Jonathan,
  The NAC agent communicates with the CAS usiing the SWISS protocol. This protocol uses port 8095 for L2 adjacent devices to the CAS and 8096 protocol for L3 adjacent devices to the CAS.  Have you checked if these ports are allowed through to the CAS for the wired clients?  Do check the support logs on the CAM and CAS suggest something. If you can post the agent logs from the wired clients I could analize and let you know where the process is failing.
  Do let me know if this helps.
  Regards,
  Som

• My safari has random pop ups and opens new ad tabs

  Hi there!
  Ever since a few days I have some issues with random advertisements, pop-ups and my safari even opens up new tabs, when I open up another tab. It's really annoying and I read that it could be a virus that's constantly changing, so 'old' solutions might not be applicable anymore, so that is why I am opening a new discussion. Also, I read about firstly making a back-up, does this need to be done with an external hard drive?
  Thanks so much in advance!
  These are print screens of the pop ups

  There is no need to download anything to solve this problem.
  You may have installed the "VSearch" trojan. Remove it as follows.
  Malware is always changing to get around the defenses against it. These instructions are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.
  Back up all data before proceeding.
  Step 1
  From the Safari menu bar, select
            Safari ▹ Preferences... ▹ Extensions
  Uninstall any extensions you don't know you need, including any that have the word "Spigot," "Trovi," or "Conduit" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.
  Reset the home page and default search engine in all the browsers, if it was changed.
  Step 2
  Triple-click anywhere in the line below on this page to select it:
  /Library/LaunchAgents/com.vsearch.agent.plist
  Right-click or control-click the line and select
            Services ▹ Reveal in Finder (or just Reveal)
  from the contextual menu.* A folder should open with an item named "com.vsearch.agent.plist" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.
  Repeat with each of these lines:
  /Library/LaunchDaemons/com.vsearch.daemon.plist
  /Library/LaunchDaemons/com.vsearch.helper.plist
  Restart the computer and empty the Trash. Then delete the following items in the same way:
  /Library/Application Support/VSearch
  /System/Library/Frameworks/VSearch.framework
  ~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
  Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.
  The problem may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it, and if you wish, replace it with the genuine article from mplayerx.org.
  This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow.
  You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that the Internet criminal behind VSearch has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing has not done so, even though it's aware of the problem. This failure of oversight has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.
  *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select
            Go ▹ Go to Folder...
  from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

• NAC Agent Login Trouble

  I'm a student at Georgia Southern University.  I use a Lenovo X200 Tablet with Windows 7 Ultimate 32-bit.  Up until last week I had no trouble with NAC agent logging into my university's network.  Since last monday or so, when I log in it says I have to update current windows, but Windows is totally up to date, including optional updates, everything but language packs.
  I've tried system restore, I've tried fixing registry issues, I've scanned for viruses, Re-updated windows, and reinstalled NAC agent.  Nothing seems to work, it just won't recognize I'm up to date.  I took it to my IT department (resnet), and they didn't help at all.
  Any ideas on how to fix this?

  Jonas,
  Sorry for the late reply. Can you ask your university IT folks, as to what the failure report shows for your PC in their CCA reports section? The key thing to look for is whether it's a particular update that CCA is hanging up on or not.
  Please advise.
  Thanks,
  Faisal